LabEx
Log InJoin Free

Stop Hydra Attacks Early

HydraBeginner
Practice Now

Introduction

In this lab, we will explore how to stop Hydra attacks early by leveraging its options to limit the number of attempts. We'll begin by setting up an FTP server using vsftpd and configuring it with multiple user accounts, testuser1 and testuser2, each with their own password. This setup will allow us to simulate a scenario where Hydra attempts to crack multiple accounts simultaneously.

The lab will then guide you through using the -f option to stop Hydra after the first successful login and the -F option with a multi-host list. Finally, we will compare the behavior of -f and -F to understand how they can be used to mitigate Hydra attacks.

Set Up FTP with Multiple Credentials

In this step, we will set up an FTP server and configure it with multiple user credentials. This will allow us to test Hydra's ability to crack multiple accounts simultaneously. We'll use vsftpd (Very Secure FTP Daemon) as our FTP server.

First, let's install vsftpd. Open your terminal and execute the following command:

sudo apt update
sudo apt install vsftpd -y

Next, we need to configure vsftpd. We'll start by creating a backup of the original configuration file. This is a good practice before making any changes to system configuration files.

sudo cp /etc/vsftpd.conf /etc/vsftpd.conf.bak

Now, let's edit the configuration file /etc/vsftpd.conf using nano. This file controls the behavior of the FTP server.

sudo nano /etc/vsftpd.conf

Inside the nano editor, add or modify the following lines. These settings will disable anonymous access, enable local user logins, allow write access, and chroot local users to their home directories for security.

anonymous_enable=NO
local_enable=YES
write_enable=YES
chroot_local_user=YES
listen=YES
listen_ipv6=NO

To save the file in nano:

  1. Press Ctrl + X to exit.
  2. Press Y to confirm saving.
  3. Press Enter to confirm the filename.

After saving the file, check the configuration file to ensure the changes were applied correctly, using the following command:

sudo cat /etc/vsftpd.conf | grep -E "^(anonymous_enable|local_enable|write_enable|chroot_local_user|listen)"

Make sure the output shows the same configuration as the one we added.

Now, let's create multiple user accounts. We'll create two users: testuser1 and testuser2, and set passwords for them. These users will be used by Hydra to attempt to log in.

Create testuser1 with a home directory:

sudo useradd -m testuser1

Set the password for testuser1 using a non-interactive command:

echo 'testuser1:password123' | sudo chpasswd

Create testuser2 with a home directory:

sudo useradd -m testuser2

Set the password for testuser2 using a non-interactive command:

echo 'testuser2:password456' | sudo chpasswd

These commands are non-interactive and will create the users directly without prompting for input, making them more reliable in automated environments.

Now, we need to fix the home directory permissions for the chroot configuration. When chroot_local_user=YES is enabled, the user's home directory must not be writable by the user for security reasons:

sudo chmod 755 /home/testuser1
sudo chmod 755 /home/testuser2

Create a writable subdirectory for each user where they can upload files:

sudo mkdir /home/testuser1/files
sudo mkdir /home/testuser2/files
sudo chown testuser1:testuser1 /home/testuser1/files
sudo chown testuser2:testuser2 /home/testuser2/files

Next, restart the vsftpd service to apply the changes we made to the configuration file and to recognize the new users.

sudo service vsftpd restart

Now, let's test the FTP server to ensure it's running correctly and that our new users can log in. You can use the ftp command-line client to connect to the server. Since we are running the server locally, we can connect to localhost.

ftp localhost

You will be prompted for a username. Enter testuser1 and then the password password123. If everything is configured correctly, you should see a message indicating you are logged in.

Connected to localhost.
220 (vsFTPd 3.0.3)
Name (localhost:labex): testuser1
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>

You can type bye to exit the FTP client.

ftp> bye
221 Goodbye.

Now, let's prepare the files that Hydra will use for its attack. Navigate to your ~/project directory, which is your default working directory.

cd ~/project

Create a file named users.txt in the ~/project directory. This file will contain the usernames that Hydra will attempt to use.

nano users.txt

Add the following usernames to users.txt:

testuser1
testuser2

Save the file and exit nano.

Next, create a file named passwords.txt in the ~/project directory. This file will contain a list of passwords, including the correct ones for our test users, along with some common incorrect passwords.

nano passwords.txt

Add the following passwords to passwords.txt:

password123
password456
password
123456
qwerty

Save the file and exit nano.

We now have an FTP server set up with multiple user accounts and a list of usernames and passwords that Hydra can use to attempt to crack the accounts.

Run with -f to Stop After First Pair

In this step, we will use the -f option with Hydra. The -f option tells Hydra to stop after finding the first valid username/password pair for a single target. This is useful when you only need to find one valid account on a specific service and don't want Hydra to continue trying other combinations after a successful login.

Ensure you are in the ~/project directory.

cd ~/project

Now, let's run Hydra against our FTP server using the username and password lists we created in the previous step. We will include the -f option.

hydra -L users.txt -P passwords.txt localhost ftp -f

Let's break down this command:

  • hydra: The command-line tool for brute-forcing.
  • -L users.txt: Specifies the file containing the list of usernames (users.txt in the current directory).
  • -P passwords.txt: Specifies the file containing the list of passwords (passwords.txt in the current directory).
  • localhost: The target FTP server's address.
  • ftp: The service protocol to attack (FTP in this case).
  • -f: This is the crucial option that tells Hydra to stop after finding the first valid username/password pair.

Observe the output in your terminal. Hydra will attempt to log in using the usernames and passwords from the lists. As soon as it finds a valid combination (e.g., testuser1:password123), it will display the successful login and then stop its operation.

The output should look similar to this:

Hydra v9.6 (c) 2024 by van Hauser/THC & David Maciejak - Please use caution!

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-05-29 14:41:46
[DATA] max 10 tasks per 1 server, overall 10 tasks, 10 login tries (l:2/p:5), ~1 try per task
[DATA] attacking ftp://localhost:21/
[21][ftp] host: localhost   login: testuser1   password: password123
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2025-05-29 14:41:47

Notice that Hydra stopped immediately after finding the first valid combination (testuser1:password123). Without the -f option, Hydra would have continued trying all other combinations in the passwords.txt file for testuser1, and then moved on to testuser2 and tried all passwords for that user as well.

This option is particularly useful when you are testing a specific service and only need to verify that at least one account is vulnerable, saving significant time and resources.

Test -F with Multi-Host List

In this step, we will explore the -F option in Hydra. Unlike -f, which stops after finding the first valid credential pair for a single host, -F stops after finding the first valid credential pair across all hosts in a list. This is particularly useful when you are targeting multiple systems and only need to find one vulnerable entry among them.

To demonstrate this, we'll simulate a multi-host scenario. Since we only have one virtual machine, we'll use localhost multiple times in our host list to simulate different targets.

First, ensure you are in the ~/project directory.

cd ~/project

Now, let's create a file named hosts.txt in your ~/project directory. This file will contain a list of target hosts.

nano hosts.txt

Add the following lines to hosts.txt:

localhost
localhost

Save the file and exit nano. By listing localhost twice, we are telling Hydra to treat it as two separate targets, even though they point to the same machine.

Now, we'll run Hydra with the -F option, targeting the list of hosts specified in hosts.txt.

hydra -L users.txt -P passwords.txt -M hosts.txt ftp -F

Let's break down this command:

  • -L users.txt: Specifies the file containing the list of usernames.
  • -P passwords.txt: Specifies the file containing the list of passwords.
  • -M hosts.txt: This is the new option. It specifies the file containing the list of target hosts (hosts.txt in the current directory).
  • ftp: The service protocol to attack.
  • -F: This is the crucial option that tells Hydra to stop after finding the first successful login across all hosts in the list.

Observe the output in your terminal. Hydra will attempt to log in to each host in the hosts.txt file using the usernames and passwords from the lists. As soon as it finds a valid combination on any of the hosts, it will display the successful login and then stop attacking all hosts listed in hosts.txt.

The output should look similar to this:

Hydra v9.6 (c) 2024 by van Hauser/THC & David Maciejak - Please use caution!

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-05-29 14:42:10
[DATA] max 10 tasks per 2 servers, overall 20 tasks, 10 login tries (l:2/p:5), ~1 try per task
[DATA] attacking ftp://(2 targets):21/
[21][ftp] host: localhost   login: testuser1   password: password123
[STATUS] attack finished for localhost (valid pair found)
2 of 2 targets successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2025-05-29 14:42:11

Even though we have two localhost entries in hosts.txt, Hydra stops after finding the first successful login on the first localhost instance. It does not proceed to attempt to find credentials for the second localhost entry, demonstrating the effect of the -F option.

The -F option is highly useful when you are targeting multiple systems and only need to find one vulnerable system to achieve your objective. It can significantly save time and computational resources by stopping the attack as soon as a vulnerability is found on any of the listed targets.

Compare -f and -F Behavior

In this step, we will directly compare the behavior of the -f and -F options to solidify your understanding of their differences. We'll use the same setup as in the previous steps: an FTP server running on localhost, the users.txt and passwords.txt files, and the hosts.txt file containing two entries for localhost.

First, let's re-run the command using the -f option. This command targets a single host (localhost) and stops after finding the first valid credential for that specific host.

hydra -L users.txt -P passwords.txt localhost ftp -f

As we observed in Step 2, Hydra will find testuser1:password123 and then stop. It does not attempt to find testuser2:password456 for localhost.

Now, let's re-run the command using the -F option. This command targets a list of hosts (hosts.txt) and stops after finding the first valid credential across any of the hosts in that list.

hydra -L users.txt -P passwords.txt -M hosts.txt ftp -F

As we observed in Step 3, Hydra will find testuser1:password123 on the first localhost entry in hosts.txt and then stop. It does not proceed to check the second localhost entry in the hosts.txt file.

The key difference lies in how Hydra interprets the target and when it decides to stop:

  • -f (single target): When you specify a single target (e.g., localhost), -f tells Hydra to stop as soon as it finds any valid username/password pair for that specific target. It will not continue to search for other valid credentials on the same target.

  • -F (multi-host list): When you specify a list of targets using -M, -F tells Hydra to stop as soon as it finds any valid username/password pair on any of the hosts in that list. It will not continue to search for other valid credentials on the same host, nor will it proceed to check subsequent hosts in the list.

To further illustrate the difference, consider a hypothetical scenario where you are scanning a network with multiple FTP servers: ftp1.example.com, ftp2.example.com, and ftp3.example.com.

  • If you use -f and target ftp1.example.com, Hydra will find the first valid credential on ftp1.example.com and stop. If you then want to check ftp2.example.com, you would need to run a separate Hydra command for it.

  • If you put all three servers in a hosts.txt file and use -F, Hydra will start checking ftp1.example.com. If it finds a valid credential there, it will immediately stop the entire operation, without even attempting to connect to ftp2.example.com or ftp3.example.com.

In summary:

  • Use -f when you are focusing on a single target and want to find at least one valid credential for it.
  • Use -F when you are scanning multiple targets and want to stop the entire operation as soon as any valid credential is found on any of the targets.

This concludes the lab. You have successfully set up an FTP server, configured multiple user accounts, and used Hydra to crack the accounts, exploring the -f and -F options to control Hydra's attack behavior.

Summary

In this lab, you have learned how to control Hydra's attack behavior using the -f and -F options. You began by setting up a local FTP server using vsftpd and configuring it with multiple user accounts (testuser1 and testuser2) to simulate a real-world scenario. You also prepared users.txt and passwords.txt files for Hydra to use.

You then used the -f option to instruct Hydra to stop after finding the first valid username/password pair for a single target, demonstrating how to efficiently find a single vulnerable account. Following this, you explored the -F option with a multi-host list (hosts.txt), learning how Hydra can stop an entire multi-target attack as soon as a single valid credential is found on any of the listed hosts.

Finally, you compared the distinct behaviors of -f and -F, understanding their respective use cases: -f for stopping after the first success on a single target, and -F for stopping after the first success across multiple targets. This knowledge is crucial for optimizing brute-force attacks and managing resources effectively.

Related Hydra Courses
Hydra for Beginners

Hydra for Beginners

cybersecurityhydrakali
Hydra Cybersecurity Attack Labs

Hydra Cybersecurity Attack Labs

cybersecurityhydrakali